security: 5 polarity fixes — fail-closed in prod, FSM default-on

[bGOATnote]

⛔ Hold until Wed 2026-04-29 13:00 PT (post-judges)

This PR is draft on purpose so it cannot auto-merge before the demo
window. Do not mark ready-for-review until after the Wednesday 1pm
PT cutoff. A scheduled agent will flip the draft state and merge then,
assuming CI is green.

Summary

The 2026-04-27 Glasswing-grade sweep flagged a unifying pattern across
five HIGH and one MEDIUM finding: too many critical controls were
fail-OPEN or opt-IN. This PR flips them to fail-CLOSED /
default-ON.

Live demo behavior is unchanged. The B300 pod's systemd unit
already sets PRISM42_ENABLE_FSM=1, and production already has
PRISM42_WORKER_KEY + ELEVENLABS_SIGNING_SECRET configured. The
polarity flip only changes behavior when an env var is missing — the
exact case the sweep flagged as catastrophic.

Fixes

ID	File	Fix	Severity
H1	mvp/911-console-live/lib/session-store.ts	Math.random() → crypto.randomUUID() for session IDs (chain root for predictable-token attacks)	HIGH
H2	mvp/911-console-live/app/prism42/api/session/[id]/turn/route.ts	503 in production when PRISM42_WORKER_KEY unset	HIGH
H3	mvp/911-console-live/app/prism42/api/chat/completions/route.ts	503 in production when ELEVENLABS_SIGNING_SECRET unset; PRISM42_SKIP_HMAC_PREVIEW hard-blocked in prod	HIGH
H4	infra/b300/setup.sh	Drop ufw allow 7880/tcp (also 7881/tcp) — Caddy terminates TLS in front of 127.0.0.1:7880; public port let attackers bypass TLS	HIGH
H5	agents/livekit/dispatcher_fsm.py	FSM default flipped ON. Opt-out via PRISM42_DISABLE_FSM=1 or PRISM42_ENABLE_FSM=0. Without FSM, the deterministic-dispatcher claim collapses	HIGH (safety-integrity, not just security)
M3	.github/workflows/verify.yml	Drop `

Test plan

• Vercel preview deployment succeeds and behaves identically (preview = VERCEL_ENV !== "production", all escape hatches still open)
• CI verify.yml passes without the || true fallback
• git diff origin/main..HEAD -- mvp/911-console-live/ reviewed by a human before Wed cutoff
• B300 pod posture check: systemctl show prism42-worker -p Environment | grep PRISM42_ENABLE_FSM confirms =1 already set, so flipping the default is a no-op for live behavior
• Post-merge: confirm 7880/tcp is closed on the pod via sudo ufw status

Out of scope (deferred to follow-up PRs)

• M2 (rate-limit + drop-GET on /api/session/start)
• M4 (bump livekit-server compose pin from v1.9.0 → match deployed v1.11.0)
• M5 + L1 (strip Runway _jwt from tracked artifacts; extend pre-commit secret regex)

Why drafted (merge gate)

User directive (2026-04-27): hold for the judge demo window today;
auto-merge after Wed 2026-04-29 13:00 PT. A separate scheduled agent
handles the flip-and-merge.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
prism42	Ready	Preview, Comment	Jun 2, 2026 12:09am
prism42-console	Ready	Preview, Comment	Jun 2, 2026 12:09am

[bGOATnote]

⚠️ Before merge: this PR silently regresses the FSM reassurance-latch fix from aa23de6.

The dispatcher_fsm.py diff in this PR deletes lines 843-851 of the current file:

# FSM-routing-bug fix (2026-04-27, see
# findings/research/2026-04-27-future-stack/fsm-routing-bug-diagnosis.md §7):
# if reassurance_done is already latched, do NOT re-enter the
# reassurance path. Defer to the after-reassurance helper, which
# handles direct-question routing + advancement to KEY_QUESTIONS
# without re-emitting any DELIVER_REASSURANCE_* intent.
if self.reassurance_done:
    self.state = State.REASSURANCE_DELIVERED
    return self._intent_in_after_reassurance(f, t0)

…and reverts the prompt at line 1218 from "Do NOT add reassurance phrasing — no 'stay with me'…" back to "Reassure the caller…". Net effect: merging as-written reintroduces the exact "I'm with you / stay with me / help is on the way" template-loop bug that findings/research/2026-04-27-future-stack/fsm-routing-bug-diagnosis.md §7 named, and which aa23de6 shipped a fix + 8 regression tests for (tests/voice/test_fsm_reassurance_latch.py, all passing on main).

Per-section read of the PR:

• H1-H4 (session-id crypto.randomUUID, PRISM42_WORKER_KEY fail-closed in prod, ELEVENLABS_SIGNING_SECRET fail-closed, PRISM42_SKIP_HMAC_PREVIEW blocked in prod, drop UFW 7880 exposure) — additive defense, real wins, keep these unchanged.
• H5 (FSM default-on) — the goal is correct, but the implementation deletes a separate bug fix. Also, on the live B300 pod the FSM is already default-on via the 120-cycle2Q-fsm.conf systemd drop-in (PRISM42_ENABLE_FSM=1), so the env-var polarity flip is redundant for prod. It IS additive for environments without the drop-in (preview, fresh pods).
• CI (5/7 red) — the pytest failures are because the PR drops || true from verify.yml:121, unmasking real failures. That's intentional, but the conftest auto-skip for missing private corpus is incomplete. Fix conftest before unmasking.

Recommended rebase path:

1. git fetch origin && git rebase origin/main (35 commits behind).
2. Reconcile dispatcher_fsm.py — preserve the if self.reassurance_done short-circuit at lines 843-851 and the prompt at 1218 ("Do NOT add reassurance phrasing"). The H5 env-var polarity flip can co-exist with the safety fix without touching either.
3. Verify tests/voice/test_fsm_reassurance_latch.py still passes (8 tests).
4. Tighten conftest skip logic so pytest passes when the private corpus is unavailable (or land that as a separate prerequisite PR).

After rebase, H1-H4 + a clean H5 are mergeable.

(Comment from left/H100 session, see findings/ops/parallel-session-coord.md for the parallel-Claude coordination contract this is operating under.)

[bGOATnote]

Auto-merge aborted — 2 blockers as of 2026-04-29 13:00 PT

1. Merge conflicts (mergeable_state: dirty)

The branch has conflicts with main that require human resolution. Rebase or merge main into the branch, resolve conflicts, and push.

2. CI failure: Tests (pytest)

• Job: https://github.com/GOATnote-Inc/prism42/actions/runs/24987191134/job/73163361520
• This is likely a direct consequence of the M3 fix (dropping || true from the pytest step), which now surfaces underlying test failures that were previously masked. The failing tests need to be fixed or confirmed-skipped before this can merge.

No merge attempted. Human action required on both blockers before re-scheduling.

---

Generated by Claude Code